[Samba] Severity of unpublished CVE-2017-2619 and CVE-2017-7494
Andrew Bartlett
abartlet at samba.org
Fri May 26 06:59:06 UTC 2017
On Fri, 2017-05-26 at 11:36 +0530, Arjit Gupta via samba wrote:
> Hi Team,
>
> Please let me know the severity of CVE-2017-2619 and CVE-2017-7494.
They are not unpublished:
https://www.samba.org/samba/security/CVE-2017-2619.html
https://www.samba.org/samba/security/CVE-2017-7494.html
For this second bug, I did some work on CVSS scores:
I've had a go at a CVSSv3 score for the normal case here (password required to write to shares):
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (8.2)
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
For the AD DC, assuming only sysvol/netlogon shares (which should be admin-only) but that administrator isn't root:
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (6.7)
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Naturally if the users who can write to your Samba shares also hold the root password then this isn't really an issue, unless you assume some attack to drop a specific .so on a share.
That would be:
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (7.0)
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Finally, if you allow guest upload of files, then be worried:
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (9.1)
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Feedback welcome. I'm just hoping this helps folks who need to classify this.
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba